hw3-sol.pdf - CS255 Introduction to Cryptography Winter 2011 Assignment#3 Solutions 1 Answer 1(a We have deve eeve(mod(N so that(N divides deve eeve 1(b

hw3-sol.pdf - CS255 Introduction to Cryptography Winter...

• Homework Help
• 5
• 86% (7) 6 out of 7 people found this document helpful

This preview shows page 1 - 2 out of 5 pages.

CS255: Introduction to Cryptography Winter 2011 Assignment #3: Solutions Answer 1. (a) We have d eve e - 1 eve ( mod φ ( N )) , so that φ ( N ) divides d eve · e eve - 1. (b) Pick a random nonzero g in Z N . In the unlikely event that g 0 ( mod p ) , then gcd ( p , N ) = p , and we have factored N , so assume that this didn’t happen. Let τ p ( g ) , τ q ( g ) (which we don’t yet know) be the largest powers of 2 that divide ord p ( g ) and ord q ( g ) , respectively. Without loss of generality, let τ p ( g ) τ q ( g ) . Note that if g is not a quadratic residue mod p , which happens with probability 1 2 , then τ p ( g ) = τ ( p - 1 ) , and otherwise τ p ( g ) < τ ( p - 1 ) . Since τ p ( g ) and τ q ( g ) are independent, no matter what τ q ( g ) is, the probability that τ p ( g ) = τ q ( g ) is at most 1 2 . Now compute x : = g K ( K ) , then repeatedly square x . We know that x τ q ( g ) 1 ( mod N ) , so consider the previous term y : = x τ q ( g ) / 2 , if there is one. If τ p ( g ) < τ q ( g ) , which happens with probability 1 2 , then y 1 ( mod p ) , but y 6≡ 1 ( mod q ) . Note that in this case we are guaranteed to have a y , because τ q ( g ) > τ p ( g ) 1. Then gcd ( y - 1, N ) = p , and we have factored N . Since the above takes roughly cubic time in log N , and works with probability 1 2 each time, we will factor N in cubic expected time. Answer 2. First, let us define t : = d| X | / B e as the hint suggests. We start by building a table T in the following way: first, choose a random element k , and add k to T . Repeatedly apply f to k until one of the two following things happen: if we reach k again before we have applied f to k exactly t times, then delete k from T . If we have not reached k again after applying f to k exactly t times (i.e. we are in a cycle of length t + 1) then add the element we get after applying f to k exactly t times to the table t . Let us call this new element j . We then apply f to j either until we reach k again (in which case we stop) or until we have applied f exactly t times, at which point we add the resulting element into the table and continue onward in the same fashion as we have been doing. When we do reach k again, which must happen eventually due to the fact that every element in the group must be a cycle, we choose some element that we have not come across and repeat the process above as though the new element were k . We can repeat this process until we have gone through all of the elements. Of course, this algorithm takes quite some time, but since we have no constraints at this time, we are free to use a sluggish algorithm (and this is why we also don’t bother to mention implementation here—any implementation that works is fine). Now we explain how to invert an input y X in time O ( t ) . Our procedure is relatively simple. First, if y is in our table, then we are done, so we clearly do not have to worry about these cases. So suppose that y is not in the table. In this case, we apply f to y repeatedly until we reach an element in our table or until we reach y again, always keeping track of the previous element. Note that if y is in a cycle that does not contain a table entry, then the cycle length must be less than t